ambari-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brian Martin (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-20018) Document security issue related to setting security.agent.hostname.validate to false
Date Mon, 29 May 2017 17:14:04 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-20018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16028523#comment-16028523
] 

Brian Martin commented on AMBARI-20018:
---------------------------------------

[~rlevas], thank for your confirming!

> Document security issue related to setting security.agent.hostname.validate to false
> ------------------------------------------------------------------------------------
>
>                 Key: AMBARI-20018
>                 URL: https://issues.apache.org/jira/browse/AMBARI-20018
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.4.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>             Fix For: 2.5.0
>
>         Attachments: AMBARI-20018_branch-2.5_01.patch, AMBARI-20018_branch-2.5_02.patch,
AMBARI-20018_trunk_01.patch, AMBARI-20018_trunk_02.patch
>
>
> Document security issue related to setting security.agent.hostname.validate to "false".
> If set to "false", invalid hostnames may be used in OpenSSL commands used to create the
agent-side certificates when 2-way SSL is enabled. This could lead to issues when executing
OpenSSL as described in CVE-2014-3582. See https://cwiki.apache.org/confluence/display/AMBARI/Ambari+Vulnerabilities.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message